JP2005521142A - Certification information storage device and certification information storage method - Google Patents

Abstract

A system and method of storing in a computer device digital certificate data from a digital certificate are provided. When a digital certificate is received at the computer device, it is determined whether the digital certificate data in the digital certificate is stored in a first memory store in the computer device. The digital certificate data is stored in the first memory store upon determining that the digital certificate data is not stored in the first memory store.

Description

  This application relates generally to secure electronic message communications, and more particularly to storing cryptographic information contained in an electronic message in a memory of a computer device.

BACKGROUND This application claims the benefit of US Provisional Patent Application No. 60 / 365,516, filed Mar. 20, 2002, the entire disclosure of which is incorporated herein by reference.

2. Description of the State of the Art Well-known secure messaging clients, such as email software applications running on computer equipment, store data separate from other information to store secure messaging information. A storage device or data storage area is maintained. Such secure message communication information includes digital certificates, public keys and the like. Other information includes contact information such as an address book, schedule information such as memorandums and appointment schedules, and the like. The digital certificate includes information related to other types of stored information. For example, a digital certificate typically includes an entity's public key and one or more digital signatures as well as identity information linked to that public key. When a messaging client loads and uses a digital certificate into the system and the contact information for the entity is not already stored in an address storage device that the client can access, the user Every time you add contact information with an entity identified in it to an address book or similar contact list stored in a messaging client, or send a message to an entity, that entity's address Must be entered by hand.

Extract digital certificate information from the summary digital certificate, determine whether the extracted digital certificate information is stored in the storage device of the message communication client, and if the extracted digital certificate information is not stored in the storage device A method for storing digital certificate information from a digital certificate received by a messaging client in accordance with a feature of the present invention, comprising the step of storing the extracted digital certificate information in its storage device.

  A digital certificate loader module configured to receive a digital certificate, and after the digital certificate loader module receives the digital certificate, extracts the digital certificate information from the digital certificate and extracts the extracted digital certificate information Is stored in the entry in the first data storage device, and if the extracted digital certificate information is not stored in the entry in the first data storage device, the extracted digital certificate information is A system for storing digital certificate information in a messaging client in accordance with another aspect of the present invention including a digital certificate information injector module configured to store in an entry in a first data storage device.

  According to a further feature of the present invention, there is provided a method for managing digital certificate data stored in a mobile communication device, wherein the digital certificate data transmitted to the mobile communication device is received and the transmitted digital certificate data is transferred to the mobile communication device. A method comprising the steps of updating and storing the memory store for transmitted digital certificate data not stored in the memory store as compared to the digital certificate data stored in the memory store in the communication device.

DETAILED DESCRIPTION Security messages are messages that are digitally signed, encrypted, or otherwise processed to ensure one or more of data confidentiality, data integrity, and user authentication. Is included. For example, a secure message may take the form of a message signed by the sender, encrypted, encrypted and then signed, or signed and then encrypted. These processes can be performed according to well-known standards such as the secure multi-purpose Internet mail extension (S / MIME) standard.

  FIG. 1 is a configuration diagram of a message communication system. There are many different types of message communication systems, and the system shown in FIG. 1 is one of many ways in which the systems and methods disclosed in this document can be used.

  The system 10 includes a wide area network (WAN) 12 to which a computer device 14, a wireless network gateway 16 and a corporate local area network (LAN) 18 are connected. The wireless network gateway 16 is also connected to the wireless communication network 20 and is configured such that a wireless mobile communication device (hereinafter, mainly referred to as a mobile device) operates.

  Computer device 14 represents a desktop or laptop personal computer configured to connect to WAN 12. This WAN 12 may be a private network or a larger publicly accessible network such as the Internet. A personal computer, such as computer device 14, typically accesses the Internet through an Internet service provider (ISP), application service provider (ASP), or similar.

  The corporate LAN 18 is an example of a network-based message communication client. As shown in the figure, the corporate LAN 18 is usually arranged behind the security firewall 24. In the corporate LAN 30, there is a message server 26 operated for computers in the firewall 24, both for exchanging messages within the LAN 18 and for exchanging messages with various external messaging clients via the WAN 20. It functions as the main interface for companies. The two most common servers for the message server 26 are the Microsoft® Exchange and Lotus Domino® server products. These servers are often used in conjunction with Internet routers that route and deliver mail. Dynamically with a predefined database format for data such as schedules, to-do lists, assignment lists, emails and document creation, extending the message server 26 beyond just sending and receiving messages A function like a database storage engine can be provided.

  Message server 26 provides message communication capability to one or more computer devices 28 in LAN 18. A general LAN includes a plurality of computer devices as generalized as computer devices 28, each of which has a message communication function, and in most cases software such as Microsoft Outlook (registered trademark). A message communication client is executed as a wear application. In the network 18, the message server 26 receives the message, delivers it to the appropriate mailbox for the user account addressed in the received message, and one computer of one or more computer devices 28. The user accesses it through. The message communication client in the LAN 18 runs on the computer device 28, but there are also well-known message communication clients that work with portable devices and other devices and devices with electronic message communication capabilities. Similar to the message server 26, the message communication client can have functions other than the message communication.

  The wireless network gateway 16 provides an interface to the wireless network 20 through which messages can be exchanged with the mobile device 22. The wireless network gateway 16 performs functions such as addressing to the mobile device 22, encoding or otherwise converting messages for wireless transmission, and other unnecessary interface functions. When the wireless network gateway 16 is configured to operate by being connected to a plurality of wireless networks 20, the wireless network gateway 16 determines the network most likely to be able to confirm the location of a predetermined user. It is also possible to track the movement of users between countries and networks.

  Any computer device that maintains access to the WAN 12 can exchange messages with the mobile device 22 through the wireless network gateway 16. Alternatively, a private wireless network gateway such as a wireless virtual private network (VPN) router can be implemented to provide a private interface to a wireless network such as 20. For example, a wireless VPN running in the LAN 18 provides a private interface through the wireless network 20 from the LAN 18 to one or more mobile devices.

  Such a private interface to a wireless device via the wireless network gateway 16 and / or the wireless network 20 includes an entity external to the LAN 18 by providing a message forwarding or redirecting system that operates with the message server 26. Can be effectively expanded to. In this type of system, incoming messages received by the message server 26 and forwarded to the user holding the mobile device 22 are, for example, a wireless network interface, such as a wireless VPN router, gateway 16 or other interface. Through, the output destination is changed for the user who owns the wireless network 20 and the mobile device 22. An exemplary output redirection system running on message server 26 is disclosed in U.S. Pat. No. 6,219,694, entitled “Mobile to Hold Shared Electronic Address from Host Device,” which is hereby incorporated by reference in its entirety. It will be of the kind announced in “Systems and Methods for Pushing Information to Data Communication Devices”.

  In a wireless network such as 20, messages are typically exchanged through RF transmissions between base stations in the wireless network 20 and mobile devices. Modern wireless networks typically serve thousands of subscribers, each having a mobile device. The wireless network 20 is one of many different wireless networks, such as a data-centric wireless network, a voice-centric wireless network, and / or a dual mode network capable of supporting both voice and data communications at the same physical base station. May be one. Dual mode networks include, but are not limited to, recently developed code division multiple access (CDMA) networks, group-special mobile or global system for mobile communications (GSM), And General Packet Radio Service (GPRS) and future third generations (3G) such as Enhanced Data Rates for Global Evolution (EDGE) and Universal Mobile Telecommunications Systems (UMTS) ) Network included. GRPS is a data overlay to the GSM wireless network and operates in almost every country in Europe. In addition to these illustrated wireless networks, other wireless networks can be used.

  Other examples of data-centric networks include, but are not limited to, Mobitex® radio network (“Mobitex”) and Datatack® radio network (“DataTack”). Examples of traditional voice-centric data networks include CDMA, Personal Communications Systems (PCS) such as GSM, and Time Division Multiple Access (TDMA).

  The mobile device 22 may be a data communication device, a voice communication device, or a multimode device having voice, data, and other types of communication capabilities. Further details regarding a typical mobile device 22 are described below in connection with FIG.

  Probably the most common type of message communication used today is email. In a standard e-mail system, an e-mail sender sends an e-mail message, possibly through a message server and / or service provider device, typically to one or more message recipients over the Internet. It is done. Email messages are usually sent unencrypted, and traditional Simple Mail Transfer Protocol (SMTP), RFC822 headers and MIME body parts are used to define the format of the email message. The As described briefly above, the message sent to the addressed message recipient can be redirected to the mobile device. Because wireless concatenation cannot be secured in the same way as a physical wired connection, messages transmitted over a wireless network are often encrypted. The combined use of a secure transmission mechanism between the message sender and each recipient further improves overall message security.

  In recent years, secure message communication techniques have been developed to protect both the content and integrity of messages such as email messages. S / MIME and Pretty Good Privacy (R) (PGP (R)) provide encryption to protect data content and signatures to protect message integrity, and send by sender Two published secure email message communication protocols that provide authentication.

  FIG. 2 is a block diagram illustrating a message communication system and secure email exchange. The message communication system in FIG. 2 illustrates the components involved in the case of an email exchange between an email sender 30 and two messaging clients operating on a mobile device 22. There are many other components involved in the overall message communication system and in the path of sending messages from the sender to the recipient mobile device 22, but are shown in FIG. 2 to avoid congestion of the drawing. Not. FIG. 2 shows an encrypted and signed message as an example of the security message. The systems and methods disclosed in this document are equally applicable to messaging clients that can send and receive other types of security messages. The sender system user configures the messaging client to send either secure or non-secure messages, for example by default configuration or choosing one for each message Can do.

  The system of FIG. 2 includes an email sender 30 configured to access the WAN 32. Wireless gateway 34 provides an interface to wireless network 36 in which mobile device 22 is adapted to operate.

  The email sender 30 may be a personal computer such as the device 14 in FIG. 1 or a computer connected to a network such as 28, for example. It may also be a mobile device that allows this email sender to create and send an email message. WAN 32, wireless gateway 34, wireless network 36, and mobile device 22 are substantially the same as the components similarly labeled in FIG.

  In accordance with a secure message communication scheme such as S / MIME and PGP, message 40 is encrypted using a single session key selected by email sender 30. This session key is used to encrypt the message body, which is then itself encrypted using the public key of the message recipient at each destination sending the message. The message 40 encrypted by such a method includes an encrypted message body 44 and an encrypted session key 46. In this type of encryption scheme, a message sender, such as email sender 30, must have access to the public key of each entity that sends the encrypted message.

  A sender of a secure email message, such as 30, typically signs a message by creating a digest of the message and signing the digest using the sender's private key. The digest may be, for example, a message, a checksum, a cyclic redundancy check (CRC), a digest algorithm such as a message digest algorithm (MD5), a hash algorithm such as a secure hashing algorithm (SHA-1), Or, preferably, it can be created by performing other irreversible actions. In the example shown in FIG. 2, both the encrypted message body 44 and the encrypted session key are used to create a digest. The sender 30 then signs this digest using the sender's private key. This signature private key is used, for example, to create a digest signature by performing encryption or other conversion processing on the digest. Next, a digital signature including the digest and digest signature is attached to the outgoing message as shown at 42. The sender's digital certificate includes the sender's public key and one or more digital signatures, as well as identity information that leads to that public key. Any chained digital certificate and certificate revocation list (CRL) associated with the chained digital certificate can also be attached to the secure message 40.

  In S / MIME, digital signatures and any digital certificates and CRLs, if included, are usually placed at the beginning of the message as shown in FIG. Messages according to other secure message communication schemes may arrange message components in an order different from the order shown, and may include additional and / or different components. For example, security message 40 includes at least the destination and possibly other header information that may be signed but generally is mostly unencrypted.

  When sending a secure email message from the sender 30, it is sent through the WAN 32 to the wireless gateway 34. As described above, the email sender 30 can also send the message 40 directly to the wireless gateway 34, and instead forward the message 40 to a computer device coupled to the mobile device 22, where the wireless gateway The output destination can be changed to the mobile device 22 through 34. As an alternative, a message can be sent or redirected to the mobile device 22 through the wireless network 36 via a wireless VPN router.

  The recipient of such a signed message, the mobile device 22 in the case shown in FIG. 2, can verify the digital signature 42. To verify the digital signature 42, the user of the mobile device uses a digital signature verification algorithm and the sender's public key corresponding to the signature creation algorithm used by the sender of the message. Or in the digital signature 42. If the sender's digital certificate is included in the security message, the sender's public key can be extracted from the digital certificate. Instead, the sender's public key, for example if the public key is extracted from the sender's previous message and stored in a key storage area in the recipient's local storage, or before the sender Can be read from the local storage device or from the public key / server (PKS). A PKS is usually a server connected to a certificate authority (CA), from which a digital certificate of an entity including a public key can be obtained. The PKS may be located in a corporate LAN, such as LAN 18 in FIG. 1, or somewhere in the WAN, the Internet, or other network or system through which message recipients can establish communication with the PKS. Sometimes.

  The digital signature algorithm and digest algorithm are publicly known, but the sender signs the original message using his own private key. Thus, the entity that modified the original message cannot create a digital signature that can be verified with the sender's public key. If the sent message is changed to an attacker after the sender has signed, digital signature verification based on the sender's public key is not possible. These mathematical operations do not prevent anyone from viewing the contents of the secure message, the message is not tampered with because the sender's signature is signed, and the message is “from” the message. Ensure that it is signed by the person indicated in the column.

  Even when the digital signature 42 is verified, and sometimes even when the digital signature verification does not work, the encrypted message body is decrypted before display or subsequent processing. The message recipient uses his private key to decrypt the encrypted session key 46, and uses the decrypted session key 46 to decrypt the encrypted message body 44, thereby Play the message. In general, a user side treatment such as inputting a password or a passphrase is necessary for decoding. Normally, the encrypted message is stored in the receiver message communication client in an encrypted format. Each time the message is displayed or otherwise processed, it is first decrypted. Those skilled in the art will appreciate that an entity may hold multiple associated encryption key pairs, such as a signing private / public key pair and an encryption private / public key pair. Thus, the mobile device 22 can use one private key to decrypt the encrypted message body 44 and use a different private key to digitally sign outgoing security messages.

  The encrypted message addressed to a plurality of recipients includes an encrypted version of the session key for each recipient and is encrypted using each recipient's public key. Each recipient performs the same digital signature verification task but uses his own private key to decrypt one of the different encrypted session keys.

  Thus, in a secure messaging system, the sender messaging client must have access to the public key of any recipient that sends the encrypted message. The recipient messaging client must obtain the sender's public key to verify the digital signature in the signed message, but the messaging client can obtain it through various mechanisms.

  The public key is usually included in the digital certificate. As described above, in general, a digital certificate for any particular entity includes identity information that leads to the public key of the entity and the public key for the digital signature. Currently, several types of digital certificates are in widespread use, including, for example, X509 type digital certificates that are commonly used in S / MIME. PGP uses digital certificates in a slightly different format. You can also use other digital certificates, such as digital certificates that follow a dedicated standard.

  The digital signature in the digital certificate is created by the issuer of the digital certificate, and as described above, the recipient of the message can securely confirm. The digital certificate can include an expiration date or validity period so that the messaging client determines whether the digital certificate has expired. Verification of the validity of a digital certificate may include tracking the authentication path through the digital certificate chain, which means that the user's digital certificate and the user's digital certificate are authentic. Other digital certificates for verifying are included. The digital certificate can also be checked against the CRL to ensure that the digital certificate has not been revoked.

  If the digital signature in a digital certificate for a particular entity is valid, the digital certificate has not expired, has not been revoked, and trusts the issuer of the digital certificate or chained digital certificate The public key in the digital certificate is determined as the public key of the entity (also referred to as the subject of the digital certificate) that issued the digital certificate.

  Messaging clients can obtain digital certificates from several publishers. If a digital certificate is attached to the received message, the digital certificate can be extracted from the message and stored in the memory store of the recipient message communication client. Alternatively, a digital certificate can be requested and downloaded from a PKS on the LAN, the Internet, or other network with which the requester has established communication. It is also conceivable that the message communication client loads a digital certificate from an issuer other than PKS. For example, many recent mobile devices are configured to be connected to a personal computer. By connecting a mobile device to a personal computer and downloading a digital certificate via a physical connection such as a serial port or a USB port, wireless digital certificate transmission can be reduced. If you use such a physical connection to load the digital certificate of each entity that the user expects to send an encrypted message, when sending the encrypted message to any of these entities, There is no need to download a digital certificate. Similarly, the user has loaded the digital certificate of any entity that is expected to receive a signature message from it, and one of those entities has attached the digital certificate to the signature message. Even without it, the signature can be verified.

  If a digital certificate is stored and the messaging client has access to it, a well-known messaging client must be able to contact that subject if it does not store contact information with each digital certificate's target entity. Request to manually enter the contact information with the entity. When downloading a plurality of digital certificates to one mobile device, it may be troublesome to manually input contact information related to each digital certificate. Also, other information on the digital certificate, such as the expiration date or validity period of the digital certificate, is important for the messaging client's work and can be cumbersome to enter manually.

  In one embodiment, when individual digital certificates are loaded onto the mobile device 22, the digital certificate information is extracted and an address book or similar contact information storage area on the mobile device 22, possibly. Store in other data storage area.

  FIG. 3 is a configuration diagram of the mobile device 22 having a digital certificate information storage area. Further details of an exemplary mobile device 22 are described in connection with FIG.

  As shown in FIG. 3, a mobile device 22 incorporating a digital certificate information storage system includes a memory 52, a digital certificate loader 60, a contact information injector 62, a keyboard and user interface (UI) 64, a wireless transceiver 66, And an organized or universal serial bus (USB) port 68. The memory 52 preferably has a digital certificate storage area 54, an address book 56 for storing contact information, an extracted digital certificate information storage area 57 for storing other digital certificate information, and an application data storage area 58. As shown in FIG. 3, a plurality of different storage areas or data storage devices are included. Other data can also be stored in the memory 52.

  Memory 52 is a writable storage device such as RAM or flash memory into which other components of the device can write data. The digital certificate storage area 54 is a dedicated storage area for storing the digital certificate in the device 22. The digital certificate may be stored in the storage area 54 after it has been received, or alternatively, it may be parsed or otherwise converted to a storage format before being written to the storage area 54. . The address book 56 is a contact information storage area for storing contact information regarding entities with which the user of the mobile device 22 may exchange messages. This address book can store an actual address, an e-mail address, and other contact information in addition to or instead of information used for message communication using the mobile device 22. Extracted digital certificate information storage area 57 processes specific digital certificate information more easily and quickly, and software applications installed on other devices and devices of mobile devices can more easily and quickly process digital certificate information. In order to be able to use it, various information from the digital certificate stored in the digital certificate storage area is stored. For example, the expiration date or validity period can be extracted from the digital certificate and used by the user of the mobile device 22 to create an appointment or reminder so that when the stored digital certificate expires, It will be possible to present to the user information regarding invalidation. The application data storage area 58 stores data related to the software application on the mobile device 22, and represents one explanation example of various types of information that can be stored in the memory 52. Further, in addition to the device system shown in FIG. 3, another system can use the memory 52.

  The digital certificate loader 60 is generally executed as a software module or application, and manages loading of the digital certificate onto the mobile device 22. As described above, mobile devices can obtain digital certificates from various issuers. Thus, the digital certificate loader 60 could be coupled to the wireless transceiver 66 and communication modules such as serial and USB ports 68 to request and receive digital certificates through them. For example, when receiving or sending a security message from an entity whose digital certificate is not stored in the digital certificate storage area 54, the mobile device 22 requests a digital certificate from the PKS through the wireless transceiver 66. And can receive a digital certificate from the digital certificate issuer upon request through the wireless transceiver 66. In addition, a digital certificate can be downloaded onto the mobile device 22 by using a serial or USB port 68 connected to a personal computer equipped in the same manner.

  A digital certificate information injector 62 monitors the digital certificate storage area 54 and preferably detects that a new digital certificate is stored in the digital certificate storage area 54. Alternatively, the digital certificate loader 60 can be configured to notify the digital certificate information injector when a digital certificate is loaded on the device 22. If it is determined that a new digital certificate has been stored in the digital certificate storage area 54, the digital certificate information injector 62 extracts information from the digital certificate. When the contact information is extracted, the digital certification information injector 62 uses the extracted contact information to provide a new entry in the address book 56, or the extracted contact information is stored in the address book 56. The extracted contact information is stored in the address book 56 instead of being stored in the entry.

  Prior to making an entry in the new address book 56, the digital certificate information injector 62 checks the address book 56 and preferably the contact information or any portion thereof is already one of the entries in the address book 56. Determine if it exists. For example, when the target name in the digital certificate is expressed using an e-mail address, the digital certification information injector 62 searches for the e-mail address in the address book 56, and the e-mail address is the address book 56. A new address book entry can be provided only if it is not found in. When the entry of the digital certificate object exists in the address book 56, the digital certificate extracted by the digital certificate information injector 62 includes additional contact information, and the digital certificate information injector 62 If so, the digital certificate information injector 62 checks the existing object entry and preferably determines whether the additional contact information is also present in the address book entry. If not, preferably, the additional contact information is stored in the existing entry and the existing entry is updated. In this way, the digital certification information injector 62 updates the address book 56 by adding a new entry to the address book 56 using the extracted information or storing the extracted information in an existing entry. can do.

  Similarly, the digital certificate information injector 62 can extract other information from the digital certificate loaded in the mobile device 22 and store it in a different storage device or storage area 57. For example, as briefly described above, a digital certificate can include revocation or validity information that can be used by a mobile device user to develop a promise or memorandum. The user can be alerted when it is terminated, invalidated, or likely. In this example, the digital certificate information injector 62 extracts the subject name and revocation or validity information of the digital certificate, and preferably checks the extracted digital certificate information storage area 57 to find an entry for that subject. Determine if it already exists. If it does not exist, a new entry, that is, a new memorandum or promise column is created in the storage area 57 using the extracted digital certificate information. If the entry for the object already exists in the storage area 57, the revocation or validity information in the existing entry can be checked to determine if it is identical to the extracted information. If they are not the same, the existing entry is preferably updated with the information extracted by the digital certificate information injector 62. This is useful, for example, when loading a new digital certificate and replacing it with a digital certificate that has not yet expired. Thus, as described above, the digital certificate information injector 62 updates the storage area 57 by adding a new entry using the extracted information or storing the extracted information in an existing entry. be able to.

  Similarly, other information in the digital certificate can be extracted and stored in the memory 52 on the mobile device 22. The user of the mobile device can configure the type of digital certificate information to be extracted and stored, for example, by adjusting settings related to the digital certificate information injector 62.

  In another embodiment, the digital certificate information injector 62 accesses the digital certificate storage area 54 to extract the digital certificate information. The individual mechanism for extracting the digital certificate information from the stored digital certificate depends on the format used when the digital certificate is stored in the digital certificate storage area 54. When the digital certificate is stored in the digital certificate storage area 54 in the format as received, the digital certificate information injector 62 reads the digital certificate from the digital certificate storage area, and the digital certificate information is stored in the digital certificate storage area 54. Parse or otherwise convert the digital certificate into an appropriate format so that it can be identified and extracted. When the digital certificate loader 60 parses or converts the received digital certificate and the parsed data is stored in the digital certificate storage area 54, the digital certificate information injector 62 Only the relevant information column is read from the parsed data in the digital certificate storage area 54 as required to fill in the entry fields in the data storage areas 56 and 57. In the latter example, the digital certificate loader 60 can hand the digital certificate information from the digital certificate to the digital certificate information injector 62, where the digital certificate information injector 62, as described above, has its digital certificate information. Are stored in the address book 56 and the extracted digital certificate information storage area 57.

  In the construction of the digital certificate information storage system as shown in FIG. 3, it is preferable not to exclude the input of address books and other information via the input means such as the keyboard / UI 64. If the user wants to add or change contact information to the information in an existing address book entry, or add a new address book entry manually, from time to time, for example, keyboard / A UI 64 or other input device provides manual input and editing of contact information.

  Although a single memory 52 is shown in FIG. 3, the mobile device 22 can include a number of different memory units, and storage areas 54, 56, 57, 58 can be separated into separate memory units. Can be built. However, the overall operation of the digital certificate information storage system in a plurality of memory systems is substantially the same as described above.

  The system and method disclosed in this document is not limited to a structure such as a mobile device having the memory arrangement shown in FIG. For example, an additional data storage device can be provided and configured to store information extracted from the digital certificate. The extracted digital certification information storage area 57 is intended as a general example of a storage device for digital certification information other than contact information. Similarly, digital certificate information can be extracted and stored in a smaller number of data storage areas. For example, only one type of digital certificate information and contact information can be automatically stored.

  In FIG. 3, the digital certificate loader 60 and the digital certificate information injector 62 are illustrated as separate blocks, but the digital certificate loader 60 and the digital certificate information injector 62 may be configured as a single software module or separately. It can also be implemented as a software module.

  Also, the digital certificate information storage system can be created in the application data storage area 58 or updated. In the above example of creating or modifying a memorandum or appointment based on revocation or validity information extracted from a digital certificate, the schedule or schedule software on the mobile device 22 is generally The application will use such reminders and promises.

  Digital certificate information storage can also be applied to other types of systems than the mobile device 22. For example, in a desktop or laptop computer, it is easier to input data than the mobile device 22, and the time and effort required to manually input digital certificate information for each digital certificate stored in the system. Is less.

  FIG. 4 is a flow diagram illustrating a method for storing digital certificate information. The method begins at step 70, which is when the digital certificate is loaded on the device, such as when it is detected that the digital certificate is stored in the digital certificate storage area. . In step 72, digital certificate information is extracted from the digital certificate. In order to prevent creating duplicate entries in the data storage area, preferably in step 74 the digital certificate information, or some of its information, such as an email address or entity name, is already in the data It is determined whether or not the entry exists in the storage area. If the digital certificate information already exists in the storage area, preferably the existing entry is examined to determine if there is any digital certificate information to add to the entry. As described above, in step 74, the name of the digital certificate entity can be used to check the entry in the data storage area, and in step 75, the existing entry is checked to determine the expiration date or validity period. It can be determined whether other extracted information such as is already stored in the existing entry. If the extracted additional information is not found in the existing entry, in step 77, the existing entry is updated by adding the additional extracted information.

  If the information extracted from the digital certificate is contact information, a security message flag is set in the address book entry that includes the extracted contact information or is updated in step 79. can do. Such a flag indicates that a digital certificate corresponding to the contact destination is stored. As a result, when a user sends a message to a contact, a digital certificate for the contact is received and loaded, or a digital certificate for the contact is received from an external digital certificate issuer. It is possible to easily determine whether a security message can be sent to the contact without obtaining it in advance. This flag or additional flag or indicator can also be used to send a confidential message to the contact, preferably according to a configurable default secure message communication mode. Alternatively, whenever a message with the secure message communication flag set is sent to the contact, for example one of the plaintext mode (no security) or the signature and / or encrypted security mode The user may receive an instruction to select.

  If the extracted digital certificate information is not found in any existing entry in the data storage device and the determination in step 74 is negative, a new entry is automatically created in step 78 and in step 80 The extracted information is stored in the entry field of the new entry. Therefore, in step 82, the security flag as described above is set in the new address book entry. This new entry can be used in the same way as any other entry in the data storage device or, in some cases, a similar entry in another data storage device, eg, editing, deleting, other Transfer, display and similar processing to the user can be performed. In the case of a new entry in the address book, the new entry can also be used to replace the addressing of outgoing messages and the sender's address in received messages with familiar names.

  FIG. 5 is a flow diagram illustrating a method for creating and transmitting a message that is the subject of digital certificate information stored in a digital certificate information storage system. The method begins at step 90 where a message is created at the starter 22 and addressed to one or more recipients. The user can specify a message destination, for example, by manually selecting an email address from the address book storage area 56 or replying to a message previously received by the mobile device 22.

  In step 92, the mobile device 22 determines whether the digital certificate information for the counterpart entity to which the message is addressed is stored in the digital certificate storage area 54 (or the extracted digital certificate information storage area 57). This determination can be made by checking the security message communication flag connected to the destination recipient or by searching for the recipient's electronic address in the digital certificate storage area 54 (or the extracted digital certificate information storage area 57). It can be carried out. If the digital certificate information is not stored in the digital certificate storage area 54, a list of “Certificate Information Absent” options are displayed, as shown in step 94. Therefore, the user selects one of the “Certificate Information Absent” options as shown in step 96. As shown in the explanatory diagram, for the display and optional selection of the “Certificate Information Absent” option, a digital certificate as shown in Step 98 is requested, the message is canceled as shown in Step 100, or in Step 102. Includes message sending options as shown.

  If the option to request a digital certificate for the destination recipient as shown in step 98 is selected, the message is stored in the mobile device 22 and the mobile device 22 receives the digital certificate for the digital certificate for the message destination recipient. Send a request to the publisher. Once the digital certificate is received, the user can select one of several security measures, such as a message key or a session key using the destination recipient's public key.

  If the option to discard the message as shown in step 100 is selected, the message communication operation is stopped and the created message is not transmitted.

  If the option to send a message as shown in step 102 is selected, the message is sent without restriction. Of course, the user can digitally sign the message using the private key and can also attach the user's digital certificate to the outgoing message.

    If the mobile device 22 determines in step 92 that the digital certificate information is stored in the digital certificate storage area 54, the mobile device 22 determines in step 104 that the digital certificate is a valid digital certificate. Determine if. If the digital certificate is not valid, step 94 is executed and steps 96, 98, 100, and 102 are subsequently executed as determined by the user.

  If the mobile device 22 determines in step 104 that the digital certificate is a valid digital certificate, the mobile device determines whether the default transmission flag is set as shown in step 106. To do.

  If the default transmission flag is set, the message is transmitted as shown in step 102. The default transmission flag can be set manually by the user or automatically. The automatic setting of the default transmission flag can be associated with the security message communication flag. In one embodiment, the secure message communication flag also performs the function of a default transmission flag. In other embodiments, the default transmission flag and the secure message communication flag are different flags that can be set separately or set as described above.

  Sending a message with a default send flag includes a digital signature on the message with the user's private key, attaching the user's digital certificate to the message, or other processing such as encrypting the message with the recipient's public key Execution can be included.

  If the mobile device 22 determines that the default transmission flag is not set, a list of “certificate information” options is displayed as shown in step 108. Therefore, the user selects one of the “certificate information” options as shown in step 110. As shown, the display and optional selection of the “Certificate Information” option includes the option to perform a security action on the message as shown in step 112, or send a message as shown in step 102. Yes.

  If the option to perform a security action on the message as shown in step 112 is selected, the digital signature of the message with the user's private key, the user's digital certificate One or more security actions may be performed on the message, such as attachment or encryption of the message with the recipient's public key.

  If the option to send a message as shown in step 102 is selected, the message is sent without restriction. Of course, the user can digitally sign the message using the private key and can also attach the user's digital certificate to the outgoing message.

  The process depicted in FIG. 5 is a single process, such as when a user responds to all recipients of a message previously received at the mobile device 22 or when a new message is sent to multiple recipients. It can also be applied to multiple recipients of a message.

  FIG. 6 is a flow diagram illustrating a method for performing work associated with a digital certificate based on events associated with the digital certificate. In step 120, the system detects the occurrence of an event associated with the digital certificate. A digital certificate event is a digital certificate, such as the receipt of digital certificate data to be stored in a digital certificate storage area, the occurrence of an associated scheduled date, or access to a digital certificate by either a user or an application program Event or work related to

  If the digital certificate event is a digital certificate storage event, in step 122, the digital certificate related data is stored in the digital certificate storage area and is associated with the digital certificate, such as the expiration date of the digital certificate. The schedule data to be stored is stored in the schedule application storage area.

  If the digital certificate event is a schedule event, in step 124, the schedule application confirms the end date of the validity period of the digital certificate based on the expiration date data stored in the schedule application storage area. A schedule event may occur when the mobile device is turned on and the resident schedule application program confirms the expiration date of the schedule data, or it may be due to the occurrence of a schedule event with predetermined expiration data. In step 126, the system determines whether an invalid (due to expiration date) digital certificate is found based on the schedule data. If invalid digital certificates are found, in step 128 the user is notified of these invalid digital certificates.

  If the digital certificate event is an access to a digital certificate, the system determines whether the accessed digital certificate is valid, as shown in step 130. As described above, access to the digital certificate is made when the user of the mobile device addresses a message to an address associated with the digital certificate stored in the digital certificate storage area, or when the user uses the digital certificate. Occurs when accessing a storage area and selecting a specific digital certificate. In step 132, the system determines whether the digital certificate is valid based on, for example, the digital certificate data stored in the digital certificate storage area, validity or revocation information, or CRL. If the digital certificate is not valid, at step 132 the user is notified of the invalid digital certificate.

  FIG. 7 is a structural block diagram of an automatic digital certificate information manager system. The digital certificate information manager 150 is preferably a software application that is stored on the mobile device 22 and is executable. In one embodiment, the digital certificate information manager 150 includes a digital certificate loader 62, a digital certificate information injector 62, and related components in the illustrative example, as described with respect to FIG.

  The digital certificate information manager 150 can monitor the digital certificate input event, the digital certificate access event 154, and the schedule event 156, and can execute functions corresponding thereto. For example, if the digital certificate information manager 150 detects a digital certificate input event 152, such as receipt of a message 152a containing a digital certificate to be stored or receipt of digital certificate data 152b, the digital certificate input -Event response function is executed. Typical response functions for digital certificate input events include storing digital certificate data in the digital certificate storage area, parsing the digital certificate data, and setting a message communication flag associated with the digital certificate. And updating an application storage area of the mobile device 22 such as a schedule application or an address book application storage area.

  The digital certificate information manager 150 specifies a message destination 154a to the address associated with the digital certificate stored in the digital certificate storage area, accesses the digital certificate storage area 154b, and selects or moves the digital certificate. When a digital certificate access event 154 is detected, such as access to a digital certificate by the device software application 154c, a function corresponding to the digital certificate access event is executed. Typical responses to digital certificate access events include checking the validity of a digital certificate and requesting a new digital certificate, notifying users when a digital certificate is invalid, and messages Implementation of security measures such as signatures, message encryption and similar actions.

  If the digital certificate manager 150 detects a schedule event 156, such as the expiration date of a digital certificate, the user is notified of the expiration of the digital certificate.

  FIG. 8 is a block diagram of a wireless mobile communication device as an example of a device in which the system and method disclosed in this document can be executed. The mobile device 600 is preferably a two-way communication device that retains at least voice and data communication capabilities. Mobile device 600 preferably retains the ability to communicate with other computer devices on the Internet. Depending on the functions provided by the mobile device, the mobile device can be a data message communication device, a two-way pager, a mobile phone with data message communication capability, a wireless Internet device, or a data communication device (with or without call capability). Will be called. As mentioned above, such equipment is simply referred to generically in this document as mobile equipment.

  Mobile device 600 includes transceiver 611, microprocessor 638, display 622, flash memory 624, random access memory (RAM) 626, auxiliary input / output (I / O) device 628, serial port 630, keyboard 632, speaker 634. , A microphone 636, a short-range wireless communication subsystem 640, and other equipment subsystem 643. The transceiver 611 includes transmit and receive antennas 616, 618, a receiver (Rx) 612, a transmitter (Tx) 614, one or more local oscillators (LO) 613, and a digital signal processor (DSP) 620. ing. The mobile device 600 includes in the flash memory 624 a voice communication module 624A, a data communication module 624B, and other operable modules 624N for performing other functions, including a microprocessor 638 (and A plurality of software modules 624A-624N that can be executed on the DSP 620).

  Mobile device 600 is preferably a two-way communication device with voice and data communication capabilities. Thus, for example, the mobile device 600 can communicate over a voice network such as any analog and digital cellular network, and can also communicate over a data network. In FIG. 8, the voice and data network is depicted as a communication tower 619. These voice and data networks may be communication networks using separate infrastructures such as base stations, network controllers, etc., or they may be a single wireless network in which they are integrated. Thus, the reference diagram of network 619 should be interpreted beyond the dimensions of a single voice and data network or separate networks.

  A communication subsystem 611 is used to communicate with the network 619. The DSP 620 is used to transmit and receive communication signals to and from the transmission device 614, and can exchange control information with the transmission device 614 and the reception device 612. A single LO 613 can be used in conjunction with a transmitter 614 and a receiver 612 when voice and data communications are performed on a single frequency or a closely spaced frequency set. Alternatively, when different frequencies are used for voice communication and data communication, a plurality of LOs 613 can be used and a plurality of frequencies corresponding to the network 619 can be generated. Although two antennas 616 and 618 are illustrated in FIG. 8, a mobile device 600 having a single antenna structure can be used. Information including both voice and data information is transmitted and received by the communication module 611 via a link between the DSP 620 and the microprocessor 638.

  The detailed design of the communication subsystem 611, such as frequency band, component selection, power level, etc., depends on the communication network 613 in which the mobile device 600 is intended to operate. For example, the mobile device 600 intended for operation in the North American market is designed to operate under a Mobitex or Datatack mobile data communications network, and it also has a variety of voices such as AMPS, TDMA, CDMA, PCS, etc. A communication subsystem designed to operate under any of the communication networks is included, and the mobile device 600 intended for Europe is configured to operate under the GPRS data communication network and the GMS voice communication network. Will be done. The mobile device 600 can be used for other types of both separate and integrated data and voice networks.

  Depending on the type of the network 619, access requirements for the mobile device 600 are different. For example, in the Mobitex and data tack / data communication networks, the mobile device is registered in the network in use using a unique identification number associated with each device. However, in a GPRS data network, access to the network is tied to subscribers and users of the mobile device 600. GPRS devices typically require a subscriber identity module (“SIM”), which is necessary to operate the mobile device 600 over a GPRS network. Without the SIM, local or off-network communication functions (if any) can operate, but without the SIM, except for legally required operations such as “911” emergency calls, the mobile device 600 Will not be able to perform any function that requires communication over the network 619.

  Once the unnecessary network registration and activation procedures are completed, the mobile device 600 can transmit and receive communication signals over the network 619, preferably including both voice and data signals. A signal received from the communication network 619 to the antenna 616 is sent to the receiving device 612, where operations such as signal amplification, frequency reduction conversion, filtering, channel selection, and analog / digital conversion are performed. More complex communication functions such as digital demodulation and decoding performed using the DSP 620 can be implemented by analog-to-digital conversion of the received signal. In a similar manner, a signal to be transmitted to the network 612 is processed by the DSP 620 including, for example, modulation and coding, and sent to the transmission device 614, where it is converted to digital-to-analog conversion, frequency up-conversion, and filtering. The wave is amplified and transmitted to the communication network 619 via the antenna. FIG. 8 shows a single transceiver 611 for both voice and data communications, but the mobile device 600 contains two distinct transceivers and the first transceiver is used for sending and receiving voice signals. The second transceiver can be used for transmitting and receiving data signals. A mobile device may be equipped with multiple transceivers and adapted to operate on multiple communication networks or in multiple frequency bands.

  In addition to processing the communication signal, the DSP 60 controls the receiving device and the transmitting device. For example, the gain level applied to communication signals on the receiver 612 and transmitter 614 can be adaptively controlled by an automatic gain control algorithm executed in the DSP 620. Various transceiver control algorithms can also be executed on the DSP 620 for more advanced control of the transceiver 611.

  Microprocessor 638 preferably manages and controls the overall operation of mobile device 600. Many types of microprocessors and microcontrollers can be used for this, and alternatively, a single DSP 620 can be used to implement the functions of the microprocessor 638. Low level communication functions, including at least data and voice communications, are performed by the DSP 620 in the transceiver 611. Other high-level communication applications, such as voice communication application 624A and data communication application 624B, can be stored in flash memory 624 and executed by microprocessor 638. For example, the voice communication module 624A can provide a high level user interface used to send and receive voice calls between the mobile device 600 and many other voice devices over the network 619. Similarly, the data communication module 624B sends and receives data such as email messages, files, organizer information, short text messages, etc. between the mobile device 600 and many other data devices via the network 619. A high level user interface can be provided. On the mobile device 600, for example, a secure messaging software application incorporating software modules corresponding to the digital certificate loader 60 and the digital certificate information injector 62 in FIG. In addition, the data communication module 614B can be connected to operate.

  Microprocessor 638 also includes display 622, flash memory 624, RAM 626 auxiliary input / output (I / O) subsystem 628, serial port 630, keyboard 632, speaker 634, microphone 636, short-range communication subsystem 640, and It interacts with other device subsystems, such as any other device subsystem, generically represented as 642. For example, modules 624A-624N may be executed by microprocessor 638 to provide a high level interface between the user and mobile device 600. This interface typically includes image components provided through display 622 and input / output components provided through auxiliary I / O 628, keyboard 632, speaker 634 and microphone 636. Such an interface is shown generically in FIG. 3 as a keyboard / UI.

  Some of the subsystems shown in FIG. 8 perform communication-related functions, while other subsystems may provide “resident” or on-device functions. In particular, some subsystems, such as keyboard 632 and display 622, are communication resident functions such as inputting text messages to be transmitted over a data communication network, and device resident such as calculators, task lists or other PDA-like functions. Used for both functions.

  The operating system software used by the microprocessor 638 is preferably stored in non-volatile memory, such as flash memory 624. In addition to the operating system and communication modules 624A-N, the flash memory 624 can also include a file system for stored data. The flash memory 624 is preferably provided with a storage area for storing digital certificates, address book entries, memorandums and promise information, and possibly other information. To speed up the operation, the operating system, the device's individual applications and modules, or portions thereof, can be temporarily loaded into a volatile storage device such as RAM 626. In addition, received communication signals may be temporarily stored in RAM 626 before being permanently written to a file system residing in flash memory.

  A typical application module 624N that can be loaded into the dual mode device 600 is a personal information manager (PIM) application with PDA functions such as schedule events, appointments and assignment items. Such a module is extracted from the digital certificate and, for example, using the expiration date or validity period stored in the appropriate data storage area in the flash memory 624 or RAM 626, the user of the mobile device 600 can receive the digital certificate. It is possible to provide an expiration date for a letter or a similar reminder. This module 624N can interact with the voice communication module 642A to manage phone calls, voice mail, etc., and can also interact with the data communication module 642B to manage email communications and other transmissions. it can. As another method, all the functions of the voice communication module 642A and the data communication module 642B can be integrated into the PIM.

  Flash memory 624 preferably includes a file system for facilitating storage of PIM data items for the device. The PIM application preferably includes the ability to send and receive data items via the wireless network 619 by itself or in conjunction with the voice and data communication modules 624A, 624B. This PIM data item is preferably seamlessly integrated, synchronized, and updated via a wireless network 619 with a set of corresponding data items stored or associated with the host computer device, thereby Create a mirror system for data items associated with a particular user.

  Although shown as flash memory 624, those skilled in the art will appreciate that other types of non-volatile storage devices can be used in addition to or in place of flash memory 624, for example, battery backed RAM. Will be.

  Alternatively, the mobile device 600 can be set in the interface cradle, and the serial port 630 of the mobile device 600 can be connected to the serial port of the host device to manually synchronize with the host device. The user uses the serial port 630 to make a desired setting, download and install another application module 642N through an external device or software application, or install a digital certificate as described above. You can also download it above. This wired download path can be used to load the encryption key into the mobile device, which is a safer method than exchanging encryption information via the wireless network 619.

  The user may add additional application module 624N through network 619 or through auxiliary I / O subsystem 628, or through serial port 630, or through short-range communication subsystem 640, or any other suitable subsystem 642. Can be loaded into the mobile device 600 and installed in the flash memory 624 or RAM 626. Such application installation flexibility increases the functionality of the mobile device 600 and may provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications allow electronic commerce functions and other similar economic transactions to be performed using mobile device 600.

  When the mobile device 600 is operating in the data communication mode, received signals such as text messages and web page downloads are processed by the transceiver 611 and provided to the microprocessor 638, preferably further processed there. To the display 622 or the auxiliary I / O device 628. For example, a digital certificate received by transceiver 611 in response to a request to PKS or attached to a security message is processed as described above, and if the digital certificate is not already stored, the flash memory Added to the digital certificate storage area in 624, the digital certificate information is extracted and stored in one or more data storage areas in the flash memory 624 as needed. The user of the mobile device 600 can also use other fully alphanumeric keyboards, such as the well-known DVORAK style, but preferably using the fully alphanumeric keyboard 632 laid out in the QWERTY style, e Data items such as email messages can be created. User input to the mobile device 600 is further augmented by a number of auxiliary I / O devices 628, which may include a fingerwheel circular input device, a touchpad, various switches, rocker input switches, and the like. The created data item input by the user can be transmitted to the communication network via the transceiver 611.

  The overall operation of the mobile device 600 when the mobile device 600 is operating in the voice communication mode is to output the received signal, preferably from the speaker 634, and the audio signal to be transmitted is generated by the microphone 636. Except for this, it is substantially the same as in the data mode. In addition, the secure message communication techniques described above may not necessarily apply to voice communication. Other voice or audio I / O subsystems, such as a voice mail recording system, may also run on the mobile device 600. The voice or audio signal output is preferably implemented primarily by the speaker 634, but the display 622 may also be used to provide a display of the other party's identity, voice phone elapsed time and other voice phone related information. Can do. For example, the microprocessor 638 can be coupled to the voice communication module 624A and operating system software to detect caller identification information of the incoming call and display it on the display 622.

  Short range communication subsystem 640 includes similarly equipped devices and equipment, including infrared devices and related circuitry and components, and short range wireless communication modules such as Bluetooth® modules and 802.11 modules. Communication with can be provided. Those skilled in the art are well aware that "Bluetooth" and "802.11" are each a set of standards for wireless personal area networks and wireless LANs available from the American Institute of Electrical and Electronics Engineers. Like.

  Variations of the systems and methods disclosed in this document can also be used. For example, although a wireless mobile communication device is shown in FIGS. 3 and 5 and described as one possible messaging client, the system and method disclosed in this document is useful for desktop and laptop computer devices, network connections It can also be implemented with undocumented message communication clients, including computer devices and other types of message communication clients.

  The digital certificate information storage system can also be configurable, and new data storage entries can be created only under certain conditions, depending on the communication functionality of the messaging client or user preferences. . For example, if the message communication client is an e-mail client, but the e-mail address is not included in the digital certificate, the information necessary for the message communication work cannot be used from the digital certificate. Can be configured not to create a new address book entry.

  FIGS. 9-11 describe additional communication systems in which a digital certificate information storage system can be used. FIG. 9 is a configuration diagram illustrating an example of a communication system. In FIG. 9, a corporate LAN 806, a wireless infrastructure 810, wireless networks 812 and 814, and mobile devices 816 and 818 are shown behind the computer device 802, the WAN 804, and the security firewall 808. The corporate LAN 806 has a direct link to a mobile device such as a message server 820, a wireless connector system 828, a data storage device 817 including at least a plurality of mailboxes 819, a physical connection 824 to an interface or connector 826. A desktop computer device having a wireless VAN router 832 is shown. The operation of the system in FIG. 9 is described below in relation to messages 833, 834 and 836.

  For example, the computing device 802 is a laptop, desktop, or palmtop computer configured to connect to the WAN 804. Such a computer device 802 can be connected to the WAN 804 via an ISP or an ASP. Alternatively, computing device 802 may be a networked computing device that accesses WAN 804 through a LAN or other network, such as computing device 822, for example. Many modern mobile devices are capable of connecting to a WAN through various infrastructure and gateway configurations, and the computer device 802 may be a mobile device.

  The corporate LAN 806 is an example of a centralized, server-based message communication system that enables wireless communication. A corporate LAN can also be referred to as a “host system”, in which the system includes a data storage 817 with a message mailbox 819 and possibly additional data storage for other data items (shown). These messages are sent to mobile devices 816 and 818, and wireless connector system 828, wireless VPN router 806, and possibly corporate LAN 806 and one or more mobile devices 816 and 818. Sent to or received from other components that allow communication between them. More generally, the host system is one or more computers on which the wireless connector system is operating in conjunction with or in connection with them. The corporate LAN 806 is one of the preferred embodiments of the host system, and the host system in the corporate network environment protected and operated behind at least one security firewall 808. Server computer running on Other central host systems that may be considered include ISPs, ASPs, and other service providers or mail systems. Although the desktop computer device 624 and the interface / connector 826 can be located outside such a host system, the operation of wireless communication will be similar as described below.

  The corporate LAN 806 implements the wireless connector system 828 as a component that enables the associated wireless communication, which is typically a software program, software built to work with at least one message server 820. An application or software component. The wireless connector system 828 transmits information selected by the user to one or more mobile devices 816 and 818 via one or more wireless networks 812 and 814, and receives information from them. used. The wireless connector system 828 may be a separate component of the message communication system, as shown in FIG. 9, or alternatively, some or all of it may be incorporated into other communication system components. Also good. For example, the message server 820 can incorporate a software program, application, or component that performs the wireless connector system 828, a portion thereof, or some or all of its functions.

  A message server 820 operating behind the firewall 808 allows businesses to exchange messages with WANs such as the Internet, including e-mail, schedule data, voice mail, electronic documents, and other PIM data. It plays the role as the main interface. This particular intermediary work and computer is not shown in FIG. 9 because of the message delivery mechanism and the particular type of network through which messages are sent. As described above, the function of the message server 820 is to send and receive messages by providing a mechanism such as a dynamic database storage device for data such as a schedule, a to-do list, an assignment list, an email, and a document. Can extend beyond.

  A message server, such as 820, typically maintains a plurality of mailboxes in one or more data storage devices, such as 817, for each user who has an account on that server. Data store 817 includes a mailbox 819 for several (“n”) user accounts. The message received by message server 820 identifies the user, user account, mailbox, and possibly other addresses associated with these users, accounts, or mailboxes 819, generally by the server, Is stored in the corresponding mailbox 819. If the message is addressed to multiple recipients or distribution lists, copies of the same message are stored in multiple mailboxes 819. Alternatively, the message server 820 stores a single copy of such a message in a data storage area accessible to all users who have an account on the message server 820, and each recipient in the mailbox 819. The mailbox 819 can store a pointer or other identification symbol. In a standard messaging system, a user typically uses a messaging client, such as Microsoft Outlook or Lotus Notes, that runs on a personal computer such as a desktop computer device 822 coupled to a LAN 806 and has his mailbox. 819 and its contents are accessed. Although only one desktop computer device 822 is shown in FIG. 9, those skilled in the art will recognize that a LAN typically includes many desktop, notebook, and laptop computer devices. Let's understand well. Each messaging client typically accesses the mailbox 819 through the message server 820, but in some systems, the messaging client may have a desktop computer device 822 with a data storage device 817 and a mailbox stored therein. Some allow direct access to 819. Messages can also be downloaded from the data storage device 817 to the local data storage device of the desktop computer device.

  Within the corporate LAN 806, the wireless connector system 828 operates with the message server 820. The wireless connector system 828 can reside on the same computer device as the message server 820, or alternatively, can run on other computer devices. Part or all of the software executing the wireless connector system 828 can also be integrated with the message server 820. The wireless connector system 828 and the message server 820 are preferably designed to cooperate and interact so that information can be pushed to the mobile devices 816, 818. In such a configuration, the wireless connector system 828 preferably passes information stored in one or more data storage devices connected to the corporate LAN 806 through the corporate firewall 808, the WAN 804, and the wireless network 812. It is configured to transmit to one or more mobile devices 816 and 818 via one of 814. For example, a user holding an account and its associated mailbox 819 in the data storage device 817 may have a mobile device such as 816. As described above, the message server 820 that has received the message identifies the user, account, and mailbox 819 and stores it in the corresponding mailbox 819. If the user holds a mobile device such as 816, messages received by the message server 820 and stored in the user's mailbox 819 are preferably detected by the wireless connector system 828 and the user's movement Transmitted to the device 816. This type of functionality represents a “push” message transmission technique. The wireless connector system 828 can alternatively employ a “pull” technique in which items stored in the mailbox 819 are responsive to requests or access operations performed using the mobile device. , Transmitted to the mobile device 816 or 818, or a combination of both techniques may be employed.

  Through the use of the wireless connector system 828, the message communication system including the message server 820 can be extended to allow each user's mobile device 816, 818 to access messages stored in the message server 820. Although the systems and methods described in this document are not limited to just push-based techniques, a detailed description of push-based messaging is described in the above-referenced US patent. This “push” technique uses wirelessly manageable coding, compression and encryption techniques to distribute all information to mobile devices, thereby effectively extending the corporate firewall 808 to mobile devices. 816 and 818 are included therein.

  As shown in FIG. 9, there are several paths for exchanging information with the mobile devices 816 and 818 from the corporate LAN 806. One powerful information transmission path is through the physical connection, such as a serial port, using an interface or connector 826. This path is often used, for example, when initializing the mobile device 816, 818, or when the user of the mobile device 816, 818 is working on a computer device within the LAN 806, such as the computer device 822. It is useful for large-scale information updates that are performed regularly. For example, as described above, PIM data is typically exchanged through a connection such as a serial port connected to a cradle in which mobile devices 816, 818 can be set or placed. Also, using the physical connection 824, a secret security key (“secret key”), such as a secret encryption key or digital signature key associated with the desktop computer device 822, from the computer device 822 to the mobile device 816, 818, Alternatively, other information can be transferred, including other relatively large amounts of information such as digital certificates and CRLs.

  Private key exchange using physical connection 824 and connector or interface 826 allows the user's desktop computing device 822 and mobile device 816 or 818 to access all encrypted and / or signed mail. Can share at least one identity. This also ensures that the user's desktop computer device 822 and mobile device 816 or 818 are either a host device 822 or a mobile device 816 or 818 with confidentiality addressed to an account on the user's mailbox or message server 820. The secret key can also be shared so that the protected message can be processed. Transfer of digital certificates and CRLs over such physical connections is desirable in representing large amounts of data required for S / MIME, PGP, and other public key security methods. The user's own digital certificate, the digital certificate chain and CRL used to verify the user's digital certificate, as well as the other user's digital certificate, digital certificate chain and CRL, and the user's desktop computer device 822 can be loaded onto mobile devices 816 and 818. This loading of the other user's digital certificate and CRL onto the mobile device 816, 818 allows the mobile device user to select other entities or users that may exchange security messages and Instead, a large amount of information can be preloaded on the mobile device through a physical connection, so that when receiving or sending a security message from such other users, or based on CRLs Time and radio bandwidth can be saved when determining the status of a digital certificate. In addition, when the system and method described in this document are adopted, CRL-based status confirmation can be omitted.

  In the well-known “synchronization” type of wireless messaging system, physical paths are also used to transfer messages from mailbox 819 connected to message server 820 to mobile devices 816 and 818.

  Another method for exchanging data with mobile devices 816 and 818 is wireless communication using wireless networks 812 and 814 through wireless connector system 828. As shown in FIG. 8, this includes using a wireless VPN router 832 if it is available in the network 806, or alternatively, providing an interface to one or more wireless networks, such as 814. A conventional WAN connection to the provided wireless infrastructure 810 can be used. The wireless VPN router 832 provides for the creation of a VPN connection to the wireless device 816 directly through the specific wireless network 812. Such a wireless VPN router 832 can be used in connection with a static destination designation mechanism. For example, if the wireless network 812 is an IP-based wireless network, IPV 6 provides a sufficient number of IP addresses to provide an IP address to any mobile device 816 configured to operate within the network 812. This makes it possible to push information towards the mobile device 816 at any time. The main advantage of using a wireless VPN router 832 is that it does not require a wireless infrastructure 810 and can be a ready-to-use VPN component. In the VPN connection, a message can be directly transmitted to and received from the mobile device 816 using a TCP / IP or UDP / IP connection.

  If the wireless VPN router 832 is not available, a link to the WAN, typically the Internet, is typically used as a connection mechanism that the wireless connector system 828 can employ. The infrastructure 810 is preferably used to handle the destination specification of the mobile device 816 and any other necessary interface functions. The wireless infrastructure 810 can also determine the most likely wireless network to locate a given user and track them as the user moves between countries and networks. In wireless networks such as 812 and 814, messages typically communicate with the mobile device through RF transmissions between the base station and the mobile device.

  For example, the wireless networks 812 and 814 can have several connection schemes, including ISDN, frame relay and TI connections using the TCP / IP protocol used throughout the Internet. The wireless networks 812 and 814 can represent separate, uncorrelated networks, or they can represent the same network in different countries, including but not limited to A variety of networks, including data-centric wireless networks, voice-centric networks, and dual-mode networks that support both voice and data communications with the same or similar infrastructure Can also be represented.

  In some implementations, one or more wireless information exchange mechanisms may be provided within the corporate LAN 806. For example, in FIG. 9, mobile devices 816 and 818 associated with a user holding a mailbox 919 linked to an account on the message server 820 are configured to operate on different wireless networks 812 and 814. If the wireless network 812 supports IPv6 addressing, the wireless connector system 828 uses the wireless VPN router 832 to exchange data with any mobile device 816 operating within the network 812. Can do. However, the wireless network 814 may be a different type of wireless network, such as a Mobitex network, and in such a case, instead, via a connection to the WAN 804 and the wireless infrastructure 810, the wireless network 814 The information is exchanged with the mobile device 818 operating in the network.

  Here, the operation of the system in FIG. 9 holds both an account and a mailbox 819 or similar data storage device transmitted from the computer device 802 and connected to the message server 820, and the mobile device 816 or 818. An e-mail message 833 addressed to at least one recipient will be described as an example.

  However, this email message 833 is intended for illustrative purposes only. Preferably, other types of information exchange is also possible between the corporate LAN 806 and the mobile device through the wireless connector system 828.

  The email message 833 sent from the computer device 802 via the WAN 804 may be fully plain text or may be digitally signed and / or encrypted, depending on the particular message communication mechanism used. For example, if a secure message communication using S / MIME is possible on the computer device 802, the email message 833 can be signed, encrypted, or both.

  Email messages such as 833 typically define the format of the email message using conventional SMTP, RFC32 header, and MIME body parts. These techniques are well known to those skilled in the art. When an email message 833 arrives at the message server 820, the server determines in which mailbox 819 the message 833 should be stored. As noted above, messages such as email message 833 are labeled with the user's name, the user's account, the mailbox identifier, or the message server 820 labeled a particular account or the associated mailbox 819. Other types of identification symbols are included. The recipient of the email message 833 is typically identified using the email address corresponding to the user account and its mailbox 819.

  If the wireless connector system 828 preferably detects that one or more triggering events have occurred, it may transfer a particular user selected data item or portion of the data item from the corporate LAN 806 to the wireless network 812 or 814. Via the user's mobile device 816 or 818. A trigger event includes, but is not limited to, one or more of the following: Activation of the screen saver of the user's network connection computer device 822, disconnection of the user's mobile device 816 or 818 and the interface 826, or transmission of one or more messages stored in the host device from the mobile device 816 or 818 The host device receives a command to start. In this manner, the wireless connector system 828 can be associated with one or more network-connected computer devices associated with the message server 820, such as receiving a command, or including a clean saver and disconnect event as described above. The occurrence of the associated trigger event can be detected. For example, if the wireless connector system 828 detects the occurrence of a trigger event for a mobile device user and wireless access to corporate data is activated on the LAN 806 for the mobile device 816 or 818, preferably, The data item selected by the user is transmitted to the user's mobile device. In the example of email message 833, if a trigger event is detected, the arrival of message 833 at message server 820 is detected by wireless connector system 828. This can be accomplished, for example, by monitoring or querying a mailbox 919 associated with the message server 820, and if the message server 820 is a Microsoft Exchange server, the wireless connector system 828 can , You can subscribe to an advice sink provided by the Microsoft Messaging Application Programming Interface (MAPI) so that you can be notified when new messages are stored in the mailbox 819.

  When sending a data item, such as an email message 833, to the mobile device 816 or 818, the wireless connector system 828 is preferably configured so that the information sent to and received by the mobile device 816 or 818 is as shown in FIG. The data items are repackaged in a manner that is transparent to the mobile device 816 or 818 so that the information appears to be stored and accessible on the LAN 806 host device. One preferred repackaging method is to wrap an incoming message to be sent over the wireless network 812 or 814 with an electronic envelope corresponding to the wireless network address of the mobile device 816 or 818 to which the message is sent. Alternatively, other packaging methods such as special purpose TCP / IP wrap techniques can be used. Such repackages also preferably came from the corresponding host device account or mailbox 819, even if the result was created and transmitted from the mobile device 816 or 818. It looks like this is an email message sent from a mobile device. Thus, the user of the mobile device 816 or 818 can effectively share a single email address between the host device account and the mailbox 819 and the mobile device.

  Repackaging of email message 833 is shown at 834 and 836. The repackaging approach can be the same for any available transmission path, or can vary depending on the specific transmission path of either the wireless infrastructure 810 or the wireless VPN router 832. For example, email message 833 is preferably compressed and encrypted before or after repackaging at 834, thereby providing secure transmission to mobile device 818. Compression reduces the bandwidth required for message transmission, and encryption ensures the confidentiality of any message or other information sent to mobile devices 816 and 818. On the other hand, the message transmitted via the VPN router 832 may be compressed only and not encrypted because the VPN set by the VPN router 832 is inherently secret. This allows the message to be viewed, for example, as a wireless connector system 828, which can be considered a non-standard VAN tunnel or VAN-like connection, or is encrypted by the VAN router 832 and sent securely to the mobile devices 816 and 818. Is done. In this way, accessing messages using mobile device 816 or 818 is not less secure than accessing a mailbox within LAN 806 using desktop computer device 822.

  When the repackaged message 834 or 836 arrives at the mobile device 816 or 818 via the wireless infrastructure 810 or via the wireless VPN router 832, the mobile device 816 or 818 receives the repackaged message 834 or 818. The external electronic envelope is removed from 836, where unnecessary thawing and decoding operations are performed. Messages sent from the mobile device 816 or 818 and addressed to one or more recipients are preferably repackaged as well, possibly compressed and encrypted, where they are sent to a host device such as the LAN 806. The host device can remove the electronic envelope from the repackaged message, decrypt and decompress the message as needed, and forward it to the destination recipient.

  Another goal in using the outer envelope is to maintain at least some of the destination information in the original email message 833. Although the outer envelope used to send information to the mobile device 816, 818 is addressed using the network address of one or more mobile devices, the outer envelope is preferably compressed and / or possibly The entire original e-mail message 833 is encapsulated, including at least one address field in an encrypted format. This allows the “To”, “From” and “CC” addresses in the email message 833 and the message content to be displayed on the mobile device 816 or 818 when the external envelope is removed. Also, by this repackaging, when the wireless connector system 828 removes the external envelope of the repackage transmission message sent from the mobile device, it reflects the account and mailbox on the mobile device user's host device. Along with the “From” field, the reply message can be delivered to the intended recipient. By using the user's account or mailbox address from the mobile device 816 or 818, a message transmitted from the mobile device is transmitted from the user's mailbox 819 or account on the host device, not from the mobile device. Can look like.

  FIG. 10 is a configuration diagram of another communication system, in which a component connected to an operator of a wireless network can perform wireless communication. As shown in FIG. 10, the system includes a computer device 802, a WAN 804, a corporate LAN 807 located behind the security firewall 808, a network operator infrastructure 840, a wireless network 811, and mobile devices 813 and 815. Yes. Computer device 802, WAN 804, security firewall 808, message server 820, data storage device 817, mailbox 819 and VAN router 835 are substantially the same as components in FIG. 9 that are similarly labeled. However, in FIG. 10, since the VPN router 835 communicates with the network operator infrastructure 840, this need not necessarily be a wireless VAN router. A network operator infrastructure 840 is coupled to the LAN 807 and computer devices 842 and 852, respectively, to allow wireless information exchange between mobile devices 813 and 815 configured to operate within the wireless network 811. ing. A plurality of computer devices 842 and 852 are shown in the LAN 807, each holding an interface / connector 848 or 858 and a physical connection 846 or 856. A wireless connector system 844 or 854 is operatively connected to the computer devices 842 and 852, respectively.

  The wireless connector systems 844 and 854 are similar to the wireless connector system 828 described above, as well as email messages and other items stored in the mailbox 819, and possibly local or network Data items stored in the storage device can be transmitted from the LAN 807 to one or more mobile devices 813 and 815. However, in FIG. 10, the network operator infrastructure 840 provides an interface between the mobile devices 813 and 815 and the LAN 807. The operation of the system shown in FIG. 10 as described above will be described below in connection with an e-mail message as an illustrative example of data items that can be transmitted to the mobile devices 813 and 815.

  If the message server 820 receives an email message 833 addressed to one or more recipients with an account on the message server 820, the message, or possibly the message stored in a central mailbox or storage device Are stored in such respective recipient mailboxes 819. If these messages 833 or pointers are stored in the mailbox 819, they can preferably be accessed using the mobile device 813 or 815. In the example shown in FIG. 10, email message 833 is addressed to a mailbox 819 associated with both desktop computer devices 824 and 852, and thus both mobile devices 813 and 815.

  Those skilled in the art will recognize that communication network protocols widely used in wired networks such as LAN 807 and / or WAN 804 are not appropriate and incompatible with wireless network protocols used in wireless networks such as 811. You will understand well. For example, communication bandwidth, protocol overhead, and network latency, which are major concerns in wireless network communications, but wired networks generally have much higher capacity and speed than wireless networks, These are less important than wireless. Therefore, normally, the mobile devices 813 and 815 cannot directly access the data storage device 817. A network operator infrastructure 840 provides a bridge between the wireless network 811 and the LAN 807.

  The network operator infrastructure 840 enables the mobile devices 813 and 815 to establish a connection with the LAN 807 through the WAN 804, which is operated by an operator of the wireless network 811 or the mobile device 813, for example. 815 may be operated by a service provider that provides a wireless communication service. In a pull-based system, the mobile device 813 or 815 is a communication mechanism that is compatible with the wireless network, preferably Wireless Transport Layer Security (WTLS) if the information needs to be kept secret. A communication session is established with the network operator infrastructure 840 using a security mechanism such as, and a wireless web browser such as a Wireless Application Protocol (WAP) browser. The user can then select either one stored in the mailbox 819 in the data storage device 817 of the LAN 807, for example, through manual selection or pre-selected defaults in software resident on the mobile device. Or request all information or just new information. The network operator infrastructure 840 establishes a connection or session with the wireless connector system 844, 854 using, for example, secure hypertext transfer protocol (HTTPS) if a session is not already established. Establish. As described above, a session between the network operator infrastructure 840 and the wireless connector system 844 or 854 can be set up via a standard WAN connection or through a VAN router 835 when available. . Network operator infrastructure 840 and wireless connector systems 844 and 854 can be used to minimize the time delay between receiving a request from mobile device 813 or 815 and returning the requested information to the device. Can be configured to remain open once a communication connection has been established.

  In the system of FIG. 10, requests originating from mobile devices A 813 and B 815 are sent to wireless connector systems 844 and 854, respectively. Upon receiving an information request from the network operator infrastructure 840, the wireless connector system 844 or 854 reads the requested information from the data storage device. With respect to email messages 833, the wireless connector system 844 or 854 is typically a messaging client operating in conjunction with a computing device 842 or 852, either via a message server 820 or directly. Can access the mailbox 819 through which the email message 833 is read from the appropriate mailbox 819. Alternatively, the wireless connector system 844 or 854 can be configured to access the mailbox 819 itself, either directly or through the message server 820. The wireless connector system 844 or 854 also accesses both other data storage devices, a network data storage device similar to the data storage device 817, and a local data storage device connected to the computer devices 842 and 852. Therefore, the mobile devices 813 and 815 can also be accessed.

  If the email message 833 is addressed to a message server account or mailbox 819 that is connected to both the computer devices 843 and 853 and the devices 813 and 815, the email message 833 is 860 and 862. To the network operator infrastructure 840, which sends its email copy to each mobile device 813 and 815, as shown at 864 and 866. Information is transmitted between wireless connector systems 844 and 854 and network operator infrastructure 840 via a connection to either WAN 804 or VPN router 835. If the network operator infrastructure 840 communicates with the wireless connector systems 844 and 854 and the mobile devices 813 and 815 with different protocols, the network operator infrastructure 840 can perform the conversion process. . Also, repackaging techniques can be used between the wireless connector systems 844 and 854 and the network operator infrastructure 840, and between each mobile device 813 or 815 and the network operator infrastructure 840. it can.

  Messages and other information transmitted from the mobile device 813 or 815 can be processed in a similar manner, and first such information is transmitted from the mobile device 813 or 815 to the network operator infrastructure 840. . The information is then sent by the network operator infrastructure 840 to the wireless connector system 844 or 854 and stored in the mailbox 819, for example, the message server 820 delivers it to any recipients addressed to it. Alternatively, the wireless connector system can distribute the information to the intended recipient.

  The description of FIG. 10 above relates to pull-based operation. Alternatively, wireless connector systems 844 and 854, and network operator infrastructure can be configured to push data items to mobile devices 813 and 815. Push / pull combinations are also possible. For example, a new message or a list of data items currently stored in the data storage of the LAN 807 can be pushed to the mobile device 813 or 815 and used to send a message from the LAN 807 via the network operator infrastructure 840. Or request data.

  If a mobile device connected to a user account on LAN 807 is configured to operate in different wireless networks, each wireless network will have an associated wireless network infrastructure similar to 840 You may do it.

  In the system of FIG. 10, separate and dedicated wireless connector systems 844 and 854 are shown for each computing device 842 and 845, but one or more wireless connector systems 844 and 854 are preferably The data storage device or the mail box 819 connected to the plurality of computer devices 842 and 852 or connected to the plurality of computer devices is accessed. For example, the wireless connector system 844 can be granted access to a mailbox 819 connected to both the computer device 842 and the computer device 852. In this case, the wireless connector system 844 processes a data item request from either the mobile device A 813 or B 815. This configuration is useful to allow wireless communication between the LAN 807 and the mobile devices 813 and 815 without requiring the desktop computer devices 842 and 852 to operate for each mobile device user. is there. Alternatively, the wireless connector system can be executed in conjunction with the message server 820 to perform wireless communication.

  FIG. 11 is a configuration diagram of another different communication system. The system includes a computer device 802, a WAN 804, a corporate LAN 809 located behind the security firewall 808, an access gateway 880, a data storage device 882, wireless networks 884 and 886, and mobile devices 888 and 890. Yes. Computer device 802, WAN 804, security firewall 808, message server 820, data storage device 817, mailbox 819, desktop computer device 822, physical connection 824, interface or connector 826 and VAN router 835 are substantially Is the same as the corresponding component. Access gateway 880 and data storage 882 provide mobile devices 888 and 890 with access to LAN 809 data item storage. In FIG. 11, the wireless connector system 878 operates on or in conjunction with the message server 820, but instead, the wireless connector system is connected to one or more desktop computer devices in the LAN 809. It can be operated on or connected to 822.

  Wireless connector system 878 provides for the transfer of data items stored on LAN 809 to one or more mobile devices 888 and 890. These data are preferably stored in an email message stored in a mailbox 819 in the data storage device 817 and possibly in a local storage device such as the data storage device 817 or other network data storage device or 822. Contains other stored items.

  As described above, an email message 833 addressed to one or more recipients who have an account at the message server 820 and received by the message server 820 is stored in the mailbox 819 of each such recipient. In the system of FIG. 11, the external data storage device 882 preferably has a structure similar to that of the data storage device 817 and is always synchronized with it. The PIM information and data stored in the data storage device 882 can preferably be changed separately from the PIM information and data stored in the host device. In this particular configuration, separately modifiable information on external data storage device 882 is stored in a plurality of data storage devices connected to the user (ie, data on mobile devices, data on personal computers at home, enterprises). Synchronization can be maintained between LAN data and the like. This synchronization can be achieved, for example, by the wireless connector system 878 at predetermined time intervals, whenever an entry in the data storage device 817 is added or changed, or at a particular time of day, or on the LAN 809. When the message server 820 or the computer device 822 poses, when posed by the data storage device 882, or perhaps when the device 888 or 890 poses through the access gateway 880, the update information is sent to the data storage device. This can be achieved by transmitting to 882.

  For example, in the case of the e-mail message 833, update information transmitted to the data storage device 882 after a while after receiving the e-mail message 833 is stored in a predetermined mailbox 819 in the storage device 817. And that a copy of the email message is stored in a corresponding storage area in the data storage device 882. If the email message is stored in the mailbox 819 corresponding to the mobile devices 888 and 890, one or more copies of the email message as shown at 892 and 894 in FIG. It will be sent to 882 and stored in the corresponding storage area or mailbox in it. As shown, a copy of the update information or information stored in the data storage device 817 can be sent to the storage device 882 via a connection to the WAN or the VPN router 835. For example, the wireless connector system 878 can send update information and stored information to resources in the data storage device 882 through an HTTP update request. Alternatively, a security protocol such as HTTPS or Secure Sockets Layer (SSL) can be used. Those skilled in the art will appreciate that data items stored in multiple locations on the LAN 809 data storage device can be sent to the data storage device 882 for storage in a single copy. Copies of this data item are stored in corresponding locations in the data storage device 882, or stored in the data storage device 882 as a single copy, and the stored data item pointer or identification symbol is stored in the data Each corresponding location in storage device 882 can be stored.

  Access gateway 880 is an effective access platform in that it provides mobile devices 888 and 890 with access to data storage 882. The data storage device 882 can be configured as an accessible resource on the WAN 804 and the ISP system or WAP gateway can be the access gateway 880 through which the mobile devices 888 and 890 connect to the WAN 804. A WAP browser or other browser compatible with the wireless networks 884 and 886 can be used to access the data storage device 882, thereby synchronizing the device with the data storage device 817 and automatically Alternatively, the stored data 817 is downloaded in response to a request from the mobile devices 888 and 890. As illustrated at 896 and 898, copies of the email message 833 stored in the data storage device 817 are transmitted to the mobile devices 888 and 890. As a result, the data storage device in each of the mobile devices 888 and 890 is synchronized with the portion such as the mailbox 819 of the data storage device 817 in the corporate LAN 809. Changes to the data stored in the mobile device are similarly reflected in the data storage devices 882 and 817.

  The embodiments described in this document are examples of structures, systems and methods having components corresponding to the components of the present invention detailed in the claims. This written description enables one of ordinary skill in the art to make and use embodiments having similar alternative components that correspond to the components of the invention as detailed in the claims. Accordingly, the intended scope of the present invention includes other structures, systems and methods that do not differ from the literal wording of the claim, and other, substantially different from the literal wording of the claim. Structure, systems and methods are included.

FIG. 1 is a configuration diagram of a message communication system. FIG. 2 is a block diagram illustrating a message communication system and secure email message exchange. FIG. 3 is a configuration diagram of a mobile device having a digital certificate information storage area. FIG. 4 is a flow diagram illustrating a method for storing digital certificate information. FIG. 5 is a flowchart illustrating a method of creating and transmitting a message that is a target of digital certificate information stored in the digital certificate information storage area. FIG. 6 is a flow diagram illustrating a method for performing operations associated with a digital certificate based on events associated with the digital certificate. FIG. 7 is a structural block diagram of the digital certificate information storage system. FIG. 8 is a configuration diagram of a mobile radio communication device. FIG. 9 is a configuration diagram illustrating an example of a communication system. FIG. 10 is a configuration diagram of another communication system. FIG. 11 is a configuration diagram of another communication system.

Claims (46)

A method for storing digital certificate information from a digital certificate received by a messaging client, comprising:
Extracting digital certificate information from the digital certificate;
Determining whether the extracted digital certificate information is stored in a data storage device of the message communication client;
Storing the extracted digital certification information in the data storage device if the extracted digital certification information is not stored in the data storage device. The method of claim 1, wherein storing the extracted digital certificate information in a data storage device comprises:
Creating a new entry in the data storage device;
Storing the extracted digital certificate information in its entry in the data storage device. 2. The method of claim 1, wherein storing the extracted digital certificate information in a data storage device includes storing the extracted digital certificate information in an existing entry in the data storage device. Method. 2. The method of claim 1, wherein the digital certification information includes an object identification symbol and additional digital certification information, and determines whether the extracted digital certification information is stored in a data storage device of a message communication client. The steps to do are
Determining whether the object identifier is stored in an existing entry in the data storage device;
Determining whether additional digital certification information is stored in the existing entry in the data storage device if the object identification symbol is stored in the existing entry in the data storage device; Including
The step of storing the extracted digital certification information in the data storage device includes the step of storing the additional digital certification information in the data storage device when the additional digital certification information is not stored in an existing entry in the data storage device. A method comprising the step of storing in that existing entry. The method of claim 4, comprising:
If the existing entry in the data storage device does not contain the object identifier, the method further comprises creating a new entry;
The step of storing the extracted digital certification information in a data storage device further comprises the step of storing an object identification symbol and additional digital certification information in its new entry in the data storage device. The method of claim 1, wherein the digital certificate is an X509 digital certificate. The method of claim 1, comprising:
If a digital certificate is received, storing the digital certificate in the digital certificate storage area of the messaging client;
Generating a signal that the digital certificate is stored in a digital certificate storage area. 8. The method of claim 7, wherein extracting digital certificate information from the digital certificate includes parsing the digital certificate to extract digital certificate information. The method of claim 7, comprising:
Storing the digital certificate in the digital certificate storage area of the messaging client;
Parsing the digital certificate to create parsed digital certificate data;
Storing the parsed digital certificate in a digital certificate storage area,
The step of extracting digital certificate information from the digital certificate includes extracting the digital certificate information from the parsed digital certificate data. The method of claim 1, comprising:
The digital certificate includes a subject identifier identifying the entity associated with the digital certificate;
The method of extracting digital certificate information from the digital certificate includes extracting an object identification symbol from the digital certificate. 11. The method of claim 10, wherein the object identification symbol includes an email address. 12. The method of claim 11, wherein the data storage device includes an address book. The method of claim 2, comprising:
The data storage device includes an address book;
The method of creating a new entry in the data storage device further comprises setting a security message communication flag associated with the new entry to indicate that a digital certificate associated with the new entry has been received. . 14. A method according to claim 13, comprising:
Creating a message in the messaging client;
Accessing a new entry in the data storage device and addressing the message to the recipient;
Determining whether to perform a security action on the message based on a security message communication flag associated with the new entry. The method of claim 14, wherein the security action is an encryption action. 15. The method of claim 14, wherein determining whether to perform a security action on a message based on a security message communication flag associated with the new entry comprises:
Determining whether the secure message communication flag associated with the new entry is set;
Instructing a messaging client user to determine whether to perform a security action on the message upon determining that the security message communication flag associated with the new entry is set. The method of claim 3, comprising:
The data storage device includes an address book;
Storing the extracted digital certificate information in an existing entry in the data storage device;
Determining whether the secure message communication flag associated with the existing entry is set;
If it is determined that the security message communication flag associated with the existing entry is not set, the step of setting the security message communication flag to indicate that the digital certificate information has been stored in the existing entry And a method further comprising: The method of claim 17, comprising:
Creating a message in the messaging client;
Accessing an existing entry in the storage device and addressing the message to the recipient;
Determining whether to perform a security action on the message based on a security message communication flag associated with the existing entry. The method of claim 18, wherein determining whether to perform a security action on a message based on a security message communication flag associated with the existing entry comprises:
Determining whether a secure message communication flag associated with an existing entry is set;
Instructing a user of the messaging client to determine whether to perform a security action on the message upon determining that the secure message communication flag associated with the existing entry is set. . The method of claim 1, comprising:
The extracted digital certificate information includes an object identification symbol and digital certificate validity information,
Determining whether to store the extracted digital certificate information in a data storage device of a message communication client,
Determining whether the object identification symbol is stored in an existing entry in the data storage device;
Whether the digital certificate validity information is stored in the existing entry in the data storage device when it is determined that the object identification symbol is not stored in the existing entry in the data storage device Determining whether or not
Storing the digital certification information in the data storage device comprises:
If the target identification symbol is not stored in the existing entry of the data storage device, a new entry is created in the data storage device, and the target identification symbol and the digital certificate validity information are stored in the new entry. And steps to
Storing the digital certificate validity information in the existing entry of the data storage device if the object identification symbol is stored in the existing entry of the data storage device. The method of claim 20, comprising:
Determining whether the digital certificate is invalid based on the object identification symbol and the digital certificate validity information;
And notifying the messaging client user that the digital certificate is invalid upon determining that the digital certificate is invalid. The method according to claim 21, wherein a validity period is defined in the digital certificate validity information. The method according to claim 21, wherein an expiration date is defined in the digital certificate validity information. The method of claim 1, wherein the messaging client is executed on the mobile communication device. A system for storing digital certification information in a messaging client,
A digital certificate loader module configured to receive a digital certificate;
After the digital certificate loader module receives the digital certificate, it extracts the digital certificate information from the digital certificate and determines whether the extracted digital certificate information is stored in an existing entry in the first data storage device A digital certificate information injector configured to store the extracted digital certificate information in the first data storage device if the extracted digital certificate information is not stored in the existing entry of the first data storage device; A system that includes modules. 26. The system of claim 25, wherein when the digital certificate information injector module determines that the extracted digital certificate information is not stored in an entry in the first data storage device, the first A system further configured to create a new entry in the data storage device. 27. The system of claim 26, comprising:
The extracted digital certification information includes the object identification symbol and additional digital certification information,
The digital certificate information injector module is
Determining whether the object identification symbol is stored in an entry in the first data storage device, and determining that the object identification symbol is not stored in an entry in the first data storage device; Creating a new entry in the first data storage device and storing the object identifier and additional digital certification information in the new entry in the first data storage device;
When it is determined that the object identification symbol is stored in the entry in the first data storage device, it is determined whether the additional digital certification information is stored in the entry in the first data storage device; A system further configured to store the additional digital certification information in its entry in the first data storage device when it is determined that the additional digital certification information is not stored in the first data storage device. 26. The system of claim 25, further comprising a second data storage device, wherein the digital certificate loader module is configured to store the digital certificate in the second data storage device. 30. The system of claim 28, wherein the digital certificate information injector module detects a received digital certificate stored in the second data storage device and upon such detection, the received digital certificate. A system that is further configured to retrieve documents. 29. The system of claim 28, wherein the digital certificate loader module is configured to notify a digital certificate information injector module when a received digital certificate is stored in a second data storage device. System. 26. The system of claim 25, wherein
The system further includes a digital certificate storage area;
The digital certificate loader module is configured to parse a digital certificate, create parsed digital certificate data, and store the parsed digital certificate data in a digital certificate storage area;
A system in which the digital certificate information injector module is configured to retrieve digital certificate information from parsed digital certificate data stored in a digital certificate storage area. 26. The system of claim 25, wherein the digital certificate loader module is configured to provide digital certificate information to the digital certificate information injector module. 26. The system of claim 25, wherein the message communication client is a wireless mobile communication device. 30. The system of claim 28, wherein the digital certificate information injector module extracts digital certificate information of a digital certificate from a second data storage device, and the digital certificate information extracted from the second data storage device comprises: When it is determined whether the digital certificate information extracted from the second data storage device is not stored in the entry in the first data storage device. The system further configured to store the extracted digital certification information in the first data storage device. 35. The system according to claim 34, wherein the first data storage device includes an address book storage area for storing contact destination information and a promise storage area for storing promise information. A method for managing digital certification data stored in a mobile communication device, comprising:
Receiving the transmitted digital certification data in the mobile communication device;
Comparing the transmitted digital certification data with digital certification data stored in a memory store in the mobile communication device;
Updating the memory store to store transmission digital certificate data not stored in the memory store. 38. The method of claim 36, wherein the step of comparing the transmitted digital certificate data with digital certificate data stored in a memory store comprises:
Selecting a digital certification identification symbol associated with the transmitted digital certification data;
Determining whether the digital certificate identifier is stored in a memory store. 38. The method of claim 37, wherein updating the memory store to store transmission digital certificate data not stored in the memory store comprises:
Storing the digital certificate identifier in the memory store when it is determined that the digital certificate identifier is not stored in the memory store;
Storing the transmitted digital certification data in a memory store;
Associating the transmitted digital certificate data with a digital certificate identifier. 40. The method of claim 38, comprising:
Setting a security message communication identifier in the memory store;
Associating the secure messaging symbol with a digital certificate identifier. 40. The method of claim 39, wherein the memory store is an address book storage device and the digital certificate identifier is an email address. 41. The method of claim 40, comprising:
Creating a message on the mobile communication device;
Addressing the message to an email address;
Determining whether to perform a security action on the message based on the security message communication identifier. 42. The method of claim 41, wherein determining whether to perform a security action on a message based on a security message communication identifier comprises:
Determining whether a secure message communication identifier is set; and
Instructing the user of the mobile communication device to select a security measure for the message if the security message communication identifier is set. 37. The method of claim 36, comprising:
Selecting a validity event for the digital certificate based on the digital certificate data stored in the memory store;
Notifying the user of the occurrence of the validity event. 44. The method of claim 43, wherein the validity event is the end of the validity period of the digital certificate. 44. The method of claim 43, wherein selecting a validity event for a digital certificate based on digital certificate data stored in the memory store comprises:
Storing validity event data in a second memory store;
Accessing the second memory store periodically to determine if a validity event has occurred. 46. The method of claim 45, wherein the second memory store is a schedule event store and the validity event is a digital certificate revocation.

Images